Threats to national security can surface at any level in the Department of Defense (DoD) supply chain. The defense industrial base (DIB) is a frequent target of industrial espionage, nation-state actors, and advanced persistent threats (APT). DIB organizations provide essential research, engineering, development, acquisition, delivery, sustainment, and operation of military systems. To strengthen the cybersecurity posture within the DIB supply chain, the DoD turned to Carnegie Mellon University’s Software Engineering Institute (SEI) to co-develop the Cybersecurity Maturity Model Certification (CMMC) program with the Johns Hopkins University Applied Physics Lab.
A cyber attack within the DIB supply chain threatens both the supply chain’s security and the warfighter’s. CMMC is a certification program that improves the security and cyber hygiene of the DIB supply chain. It ensures compliance and accountability with DoD cybersecurity requirements. Based on a clear set of measures aligned with robust National Institute of Standards and Technology (NIST) guidelines and best practices, CMMC specifications help safeguard intellectual property (IP) and controlled unclassified information (CUI) throughout the DIB.
CMMC safeguards sensitive information through the enforcement of cyber requirements derived from NIST SP 800-171 and NIST SP 800-172.
The unique position of the SEI led the DoD to select us as co-developer of the CMMC program. As a longtime federally funded research and development center (FFRDC), the SEI is ideally positioned at the confluence of government, industry, and academia. This gives us a unique perspective into the commercial defense ecosystem, government acquisition and compliance requirements, and technology research. Add to this our long history of capability maturity modeling—beginning with the Capability Maturity Model (CMM) and continuing through the CERT Resilience Management Model (CERT-RMM)—and the SEI has singular insights and experience related to supply chain risk assessment methodologies.
The SEI is a national resource for modern software development methods, as well as for research on cybersecurity, vulnerabilities, secure coding, cyber risk and resilience, insider threat, cybersecurity monitoring and response, cyber workforce development, and artificial intelligence (AI) incident response.
Since the inception of CMMC in 2019, the SEI has engaged directly with stakeholders to develop a model that balances the needs of the DoD with expected capabilities of DIB contractors. The SEI has worked closely with the DoD to
The program’s full implementation—when the DoD includes the CMMC Program requirements in all applicable solicitations and contracts—will transform the DIB by better protecting sensitive DoD information from adversaries. It will create a baseline for DIB contractors to implement cybersecurity requirements according to a clear set of measures applicable throughout the federal space.
The SEI CERT team continues our work on the CMMC Program. Contact the SEI CERT Division to learn how we can partner with you to help protect your organization and improve its cybersecurity.
Beginning November 10, defense contracts may require assessments under the CMMC program, which the SEI co-created, but implementation will be phased.
The DoD engaged with the SEI as co-developer of the CMMC because of the SEI’s unique history of contributions to the DoD.